From cabd4b54169356d298b05c826c3fd549c2fb22bf Mon Sep 17 00:00:00 2001
From: David Houghton
Date: Wed, 10 Sep 2014 16:54:37 -0400
Subject: [PATCH] ticket: 27309; use dbh->quote

Sorry, I shouldn't have missed this. I've gotten used to using either DBIx::Class to construct queries for me or using whole prepared statements, which handle the quoting automagically. I've gotten out of practice with SQL created piecemeal.
---
 httemplate/search/cdr.html | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/httemplate/search/cdr.html b/httemplate/search/cdr.html
index 10b386383..778799b1f 100644
--- a/httemplate/search/cdr.html
+++ b/httemplate/search/cdr.html
@@ -264,11 +264,9 @@ if ( $cgi->param('acctid') =~ /\d/ ) {
 if ( $cgi->param('accountcode') =~ /\S/ ) {
 my $accountcode = $cgi->param('accountcode');
 my @accountcode = map {
- ( my $v = $_ ) =~ s/^\s+|\s+$//g;
- if ( $v =~ /'/ ) { $v =~ s/'/\\'/g; $v = "E'$v'" }
- elsif ( length $v ) { $v = "'$v'" }
- length $v ? $v : ()
- } grep /\S/, split /\R/, $accountcode;
+ ( my $v = $_ ) =~ s/^\s+|\s+$//g; # trim margin whitespace
+ length $v ? dbh->quote($v) : ()
+ } grep /\S/, split /\R/, $accountcode; # collect non-trivial lines
 if (@accountcode) {
 my $search = 'accountcode IN ( ' . join( ',', @accountcode ) . ' )';
 push @qsearch, $search;
-- 
2.11.0
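Review bot: The `length $v ? dbh->quote($v) : ()` guard on the added map line is dead — every element reaching the map has already passed `grep /\S/`, so after the whitespace trim `$v` always has non-zero length; `dbh->quote($v)` alone reads more honestly, or the `length` test should take over from the grep rather than duplicate it. The switch from hand-rolled `E'...'` escaping to the driver's own quoting is the right fix and deserves a why-comment so nobody "optimises" it back, e.g. `# dbh->quote applies the driver's string escaping; never hand-escape SQL literals`. This presumes `dbh` is the handle accessor already imported into this component and that it is the same handle the assembled IN-list is later executed on; both the enclosing `if` block and the query execution lie outside the hunk, so that could not be confirmed here.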